<p>Trilium is designed to store a wide variety of data, including sensitive
  information such as personal journals, credentials, or confidential documents.
  To safeguard this type of content, Trilium offers the option to protect
  notes, which involves the following measures:</p>
<ul>
  <li><strong>Encryption:</strong> Protected notes are encrypted using a key
    derived from your password. This ensures that without the correct password,
    protected notes remain indecipherable. Even if someone gains access to
    your Trilium <a href="#root/_help_wX4HbRucYSDD">database</a>, they won't
    be able to read your encrypted notes.</li>
  <li><strong>Time-limited access:</strong> To access protected notes, you must
    first enter your password, which decrypts the note for reading and writing.
    However, after a specified period of inactivity (10 minutes by default),
    the note is unloaded from memory, requiring you to re-enter your password
    to access it again.
    <ul>
      <li>The session timeout is extended automatically while you're interacting
        with the protected note, so if you're actively editing, the session remains
        open. However, if you switch to an unprotected note, the session timer
        starts, and the session expires after 10 minutes of inactivity unless you
        return to the protected notes.</li>
    </ul>
  </li>
  <li><strong>Protection scope:</strong> Protected notes ensure the confidentiality
    of their content and partially their integrity. While unauthorized users
    cannot read or edit protected notes, they can still delete or move them
    outside of the protected session.</li>
</ul>
<h2>Using Protected Notes</h2>
<p>By default, notes are unprotected. To protect a note, simply click on
  the shield icon next to the note's title, as shown here:</p>
<p>
  <img src="Protected Notes_protecting.gif" alt="example animation of unlocking protected notes">
</p>
<h2>What is Encrypted?</h2>
<p>Trilium encrypts the data within protected notes but not their metadata.
  Specifically:</p>
<p><strong>Encrypted:</strong>
</p>
<ul>
  <li>Note title</li>
  <li>Note content</li>
  <li>Images</li>
  <li>File attachments</li>
</ul>
<p><strong>Not encrypted:</strong>
</p>
<ul>
  <li>Note structure (i.e., it remains visible that there are protected notes)</li>
  <li>Metadata, such as the last modified date</li>
  <li><a href="#root/_help_zEY4DaJG4YT5">Attributes</a>
  </li>
</ul>
<h2>Encryption Details</h2>
<p>The following steps outline how encryption and decryption work in Trilium:</p>
<ol>
  <li>The user enters a password.</li>
  <li>The password is passed through the <a href="https://en.wikipedia.org/wiki/Scrypt">scrypt</a> algorithm
    along with a "password verification" <a href="https://en.wikipedia.org/wiki/Salt_(cryptography)">salt</a> to
    confirm that the password is correct.</li>
  <li>The password is then processed again through scrypt with an "encryption"
    salt, which generates a hash.
    <ul>
      <li>Scrypt is used for <a href="https://en.wikipedia.org/wiki/Key_stretching">key stretching</a> to
        make the password harder to guess.</li>
    </ul>
  </li>
  <li>The generated hash is used to decrypt the actual <em>data encryption key</em>.
    <ul>
      <li>The data encryption key is encrypted using <a href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-128</a> with
        a random <a href="https://en.wikipedia.org/wiki/Initialization_vector">IV</a>.</li>
      <li>The data encryption key is randomly generated during the <a href="#root/_help_wX4HbRucYSDD">database</a> initialization
        and remains constant throughout the document’s lifetime. When the password
        is changed, only this key is re-encrypted.</li>
    </ul>
  </li>
  <li>The data encryption key is then used to decrypt the actual content of
    the note, including its title and body.
    <ul>
      <li>The encryption algorithm used is AES-128 with <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation">CBC mode</a>,
        where a unique IV is generated for each encryption operation and stored
        with the cipher text.</li>
    </ul>
  </li>
</ol>
<h2>Sharing Protected Notes</h2>
<p>Protected notes cannot be shared in the same way as regular notes. Their
  encryption ensures that only authorized users with the correct password
  can access them.</p>